Proactive & Reactive Risk Management

I was recently working with a company who didn’t understand the difference between proactive and reactive risk management on product development projects.  Oh sure, they could explain the concept in a meeting, but their business practices told a different story. 

First, let’s acknowledge that we need both.  Proactive risk management can avoid and minimize risks.  But sometimes the unexpected happens and we need to respond to it when it does.   A strong risk management approach will periodically assess the project to identify risks and proactively take actions to avoid and mitigate negative risks while enhancing and leveraging positive risks.  And at the same time, the risk management approach will be constantly assessing progress and variances – both technical and project progress – to determine when unexpected conditions have occurred.  An analysis of those conditions will lead to appropriate corrective actions or responses.

Risk Events

Let’s look at the attributes of proactive and reactive risk management, at least as they apply to technology or product development project.  Risk is defined by the Project Management Institute as, “An uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”  There are three aspects I want to highlight.  First it is an uncertain event.  Second it can be both positive and negative.  And third, it effects on or more project objectives. 

Proactive risk management focuses on identifying the uncertain events and estimating the effects of the objectives.  Reactive risk management starts with the unexpected effects and attempts to determine the events that caused those effects.  In both cases, actions are taken to protect the project goals.  However, in proactive risk management, an action is taken to avoid or prevent a negative effect or to enable or enhance a positive effect.  In contrast, with reactive risk management an action is taken to recover or compensate for the already existing unexpected negative effect on the goal or an action is taken to lock in the benefits from an already existing unexpected positive effect on the goal.

Effective risk management needs to include both proactive and reactive elements. It is obvious that if you don’t do either, disaster is likely to strike your project.  But even if you do one, but not the other, disaster is still likely to strike.  Let me illustrate using the experiences of the company I mentioned earlier.    

Proactive without Reactive Risk Management

This company did proactive risk management for project risk events.  They conducted a risk analysis shortly after the project started where they considered a variety of project risk events that could affect the project.  These included schedule issues, resource issues, and some technical issues.  The risk analysis was captured in a risk register, proactive risk responses were identified and most were implemented.  And that was the last time that project risk was discussed on the project until the accumulating disasters caused the project to be cancelled two years later.

Proactive risk management was done and the actions taken were good ones.  But the company and project team did not regularly assess project performance with respect to cost and schedule goals.  They just kept changing the schedule and throwing resources at problems.   There were ample signs that other unexpected events had occurred and that the project plan and project approach was not working.  However, the project team did not stop to assess what was going on and analyse the project to determine the root cause or causes of the risk events.  Therefore they never took appropriate corrective actions.  Finally two years into the project, they were approximately 18 months behind to the original schedule and the spending was nearly double the original budget. 

Reactive without Proactive Risk Management

While the company did proactive risk management with respect to project goals, they did not do any proactive risk management with respect to technical goals.  This was a development project using emerging technology and it was pushing that technology to an order of magnitude improvement in several of the key technical performance characteristics.  In addition, the product was evolving from a complex mechanical product to a system involving complex mechanical elements, electronics, software, and systems integration with other customer systems.  The project team did not do any proactive technical risk assessment.  In fact technical risk was never discussed in their project reviews – just technical problems. 

The technical problems were addressed using a reasonable and effective reactive risk management approach.  As a problem was identified, a root cause analysis was performed and a solution was created to solve that problem.  But since no proactive risk management was done, the solutions often then created even more technical problems.  And when a technical problem was finally solved, it would just unmask the next technical problem.  The project went through a continuous set of technical problems and issues, with the result that despite dozens of systems being constructed, none of them was ever fully compliant with the specifications.  Finally, after two years of work, the design team reported to management that the current design approach was not robust enough to ever meet the customer’s use requirements.   If the company wanted a product that would be satisfactory to the customer, they would need to restart the development project with an entirely new concept.

Combining Proactive and Reactive Risk Management

If the company had effectively combined both proactive and reactive risk management approaches around either the project or technical goals, the situation would have been recognized much sooner and the project could have been salvaged.  The proactive project risk management made some good project enhancements.  If it had continued to monitor for risk, it would have identified that something wasn’t right with the technical approach and corrective actions could have been taken.  The reactive technical risk management continually fixed one problem after another, but a proactive analysis would have identified that the fundamental concept was too risky and a different approach would have been used.

The lesson for project managers is to do proactive risk management early in the project.  And then monitor performance, identify variances and do effective root cause analysis as the project progresses.  These complementary approaches should lead to project success.